Different alert text and subject for different alerters

[Neuro-HSOC]

Hi all,

is there any way to specify different alert text and subject values for different alerters? For example I have a couple of rules, which alert by email and into TheHive. Would be quite nice to have different alert content for those two to accommodate the different formats (e.g. HTML in the mail, pure text for TheHive).

As far as I can tell from reading the code, I guess the answer is "Not supported for now" but maybe I'm missing something. :-)

Best regards,
Sebastian

[ferozsalam]

Hello!

This is possible with TheHive alerter, which sets defaults but also checks the provided config and updates anything which is populated in it:

        alert_config = {
            'artifacts': [],
            'customFields': {},
            'date': int(time.time()) * 1000,
            'description': self.create_alert_body(matches),
            'sourceRef': str(uuid.uuid4())[0:6],
            'tags': [],
            'title': self.create_title(matches),
        }
        alert_config.update(self.rule.get('hive_alert_config', {}))

If you set:

hive_alert_config:
  title: 'Custom subject'
  description: 'Custom description'

It should give you what you need. Let me know if this doesn't work.

[Neuro-HSOC]

Hi Feroz,

this indeed works but with one drawback. Due to the simple update of the dictionary, this is limited to plain text without parameters/templates, isn't it?

Hm, I anyhow thought about dusting of my python skills and contributing a "Markdown based summary table" feature. Maybe I simply add this to things to look into. :-)

Thanks for pointing out nonetheless.

Best regards,
Sebastian

[ferozsalam]

Hey Sebastian - you're right - you can't currently have both different text per alerter and match data interpolation, you have to choose one of the two at the moment, as the current alerter defaults to using the built-in ElastAlert interpolation for alert_text_args.